
drrun only run once with a specific program and does not generate logs

Open rajeemm opened this issue 5 years ago • 4 comments

Hi,

I'm trying to fuzz-test my program using the instrumentation mode of DynamoRIO. However, it looks like my program is NOT running correctly under DynamoRIO.

I'm Running: drrun.exe -c winafl.dll -debug -coverage_module mycode.exe -target_module mycode.exe -target_offset 0xB0F00 -fuzz_iterations 10 -nargs 0 -- "<path>\mycode.exe".

This only runs my program once (I can tell from the number of prints), prints every print inside my function (and nothing else), and exits. It does not generate any logs.

I added a print placed right before the function's end, so it does not look like my function aborts unexpectedly (no exit()). Also, Procdump does not detect any crash.

Any ideas?

Sanity Tests:

  • Running drrun.exe with test_gdiplus.exe instead works perfectly (run 10 times, and the log is created).
  • Running another simple program (that I just compiled) that only prints works fine as well (but that's not the real program I'm trying to fuzz-test).
  • Wrapping my function in a for loop (to run 10 times) and running it manually (without drrun) from the main function works perfectly (so it does not look like there is an unexpected exit()).

Additional Details:

  • OS Win 10 (19042) x64. [Also tried with Win7 x64 VM, and got exactly the same issue].
  • I compiled DynamoRIO-Windows-8.0.18585 x64 with the latest winafl.
  • My program is x64 and was compiled with MSVC.
  • The target offset was calculated using WinDbg by subtracting the module base from the function address.

Thanks!

rajeemm avatar Dec 14 '20 16:12 rajeemm

Strange that the log doesn't get created at all, as creating the log file should be one of the first things it does when -debug is specified. Can you verify that all three (drrun.exe, winafl.dll and target) are built for the same architecture (32-bit vs 64-bit)? Does drrun.exe print anything in the terminal?

ifratric avatar Dec 15 '20 19:12 ifratric

Hi,

Indeed very strange. I verified the architecture of the three files again, all are x64 (verified this time by looking at the file structures themselves, all contain PE d†). drrun.exe does not print anything in the terminal other than my program's prints. My program's prints include prints that are at the very end of the program, as I described.

Any thoughts?

P.S. I even did another sanity test: I also made it work by commenting out all of the code in my program (and making drrun call an empty function with only one print). I couldn't pinpoint the exact code in my program that interferes with drrun. The program uses threads, but I don't see any limitation regarding that in the winafl docs.

Thanks!

rajeemm avatar Dec 16 '20 09:12 rajeemm
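The architecture check discussed in the two comments above (all of drrun.exe, winafl.dll and the target must be built for the same bitness, and the "PE d†" bytes the reporter saw are the little-endian IMAGE_FILE_MACHINE_AMD64 value 0x8664 in the COFF file header) can be done without a hex editor by reading the Machine field of each PE file. The script below is an added example written for this page, not code from winafl or DynamoRIO; the file names in the built-in sample are constructed minimal PE headers rather than real binaries, and the command-line form takes any paths you pass it.

```python
import struct
import sys

# COFF file header Machine values (from the PE/COFF specification)
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64; little-endian bytes 64 86 show as "d†" in a hex dump

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86",
    IMAGE_FILE_MACHINE_AMD64: "x64",
}


def pe_machine(data: bytes) -> str:
    """Return "x86"/"x64" (or "unknown:0x....") for the PE image bytes in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER.Machine is the first (16-bit) field after the signature
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown:0x{machine:04x}")


def same_arch(images: dict) -> tuple:
    """Given {name: pe_bytes}, return (all_match, {name: arch})."""
    archs = {name: pe_machine(data) for name, data in images.items()}
    return len(set(archs.values())) == 1, archs


def _fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header for testing (not a loadable binary):
    0x40-byte DOS header, e_lfanew -> 0x40, PE signature, 20-byte file header."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return bytes(hdr)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python pecheck.py drrun.exe winafl.dll mycode.exe
        ok, archs = same_arch({p: open(p, "rb").read() for p in sys.argv[1:]})
    else:
        # Constructed sample: an x86 winafl.dll next to x64 drrun/target (a mismatch)
        ok, archs = same_arch({
            "drrun.exe": _fake_pe(IMAGE_FILE_MACHINE_AMD64),
            "winafl.dll": _fake_pe(IMAGE_FILE_MACHINE_I386),
            "mycode.exe": _fake_pe(IMAGE_FILE_MACHINE_AMD64),
        })
    for name, arch in archs.items():
        print(f"{name}: {arch}")
    print("all same architecture" if ok else "ARCHITECTURE MISMATCH")
```

Run it with the three real paths; if any file reports a different architecture (or "unknown"), that is the first thing to fix before looking further at why -debug produces no log.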

If this really is due to some incompatibility with DynamoRIO, an alternative is to try the newly released https://github.com/googleprojectzero/Jackalope. It uses completely different instrumentation, so it might work better for you. Note that the command line is somewhat different.

ifratric avatar Dec 16 '20 09:12 ifratric

Thanks, I get much further with that fuzzer; however, I still got an issue. I think the underlying cause might be the same. WDYT?

Thanks!

EDIT: Jackalope fuzzer worked. I leave this issue open (feel free to close if you think it better)

rajeemm avatar Dec 20 '20 09:12 rajeemm